Resources

Selected articles

Offline Autoruns Revisited - Auditing Malware Persistence

Investigating WMI Attacks

Reconnaissance Detection

Investigating PowerShell: Command and Script Logging

Device Profiling with Windows Prefetch

ESE Databases are Dirty!

What is New in Windows Application Execution?

Mo’ Shells Mo’ Problems – Web Server Log Analysis

Getting Started with Linux Memory Forensics

Computer Forensics How-To: Microsoft Log Parser

NTFS $I30 Index Attributes: Evidence of Deleted and Overwritten Files

OpenSaveMRU and LastVisitedMRU

Finding Registry Malware Persistence with RECmd

Cloud Storage Acquisition from Endpoint Devices

SANS FOR500: Windows Forensic Analysis - Updated for Windows 11 and Beyond

Power Up Memory Forensics with Memory Baseliner

Updated Windows Forensic Analysis Poster

WORKSHOPS

https://www.sans.org/webcasts/tech-tuesday-workshop-cobalt-strike-detection-log-analysis-119395/

Cobalt_Strike_Detection_via_Log_Analysis.pdf

Videos

slides

Cobalt_Strike_Threat_Hunting-Tilbury.pdf

Investigating_WMI_Attacks_Tilbury_2018.pdf

Know_Your_Credentials_2017_Tilbury.pdf

LessonsIncidentResponse_2016_PREZ.pdf

Tracking_Deep_Panda_Web_Shells_2013_Tilbury.pdf

Geolocation_Forensics_2013_Tilbury.pdf

APT_Hiding_in_Plain_Sight_2011_Tilbury.pdf

Report abuse